apache/mod_fcgid: The latest CVE Vulnerabilities and Exploits for Penetration Test
apache/mod_fcgid Vulnerability Summary
- Vendor name: apache
- Product name: mod_fcgid
- Total vulnerabilities: 4 (as 2023-05-04)
apache/mod_fcgid Vulnerability List
CVE-2016-1000104: A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.
Published: 2019-12-03T22:15:00 Last Modified: 2020-02-03T18:15:00
Summary
A security Bypass vulnerability exists in the FcgidPassHeader Proxy in mod_fcgid through 2016-07-07.
Common Weakness Enumeration (CWE): CWE-20: Improper Input Validation
CWE Description: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Scores
- Impact Score: 6.4
- Exploitability Score: 8.0
- CVSS: 6.5
- CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Impact
- Availability: PARTIAL
- Confidentiality: PARTIAL
- Integrity: PARTIAL
Access
- Authentication: SINGLE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2016-1000104 vulnerability.
References
- http://lists.opensuse.org/opensuse-updates/2016-08/msg00084.html
- https://www.tenable.com/security/tns-2017-04
- http://www.openwall.com/lists/oss-security/2016/07/18/6
- http://www.securityfocus.com/bid/91822
See also: All popular products CVE Vulnerabilities of apache
CVE-2013-4365: Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the…
Published: 2013-10-17T23:55:00 Last Modified: 2020-11-16T20:47:00
Summary
Heap-based buffer overflow in the fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.9 for the Apache HTTP Server allows remote attackers to have an unspecified impact via unknown vectors.
Common Weakness Enumeration (CWE): CWE-787: Out-of-bounds Write
CWE Description: The software writes data past the end, or before the beginning, of the intended buffer.
Scores
- Impact Score: 6.4
- Exploitability Score: 10.0
- CVSS: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Impact
- Availability: PARTIAL
- Confidentiality: PARTIAL
- Integrity: PARTIAL
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2013-4365 vulnerability.
References
- http://www.mail-archive.com/dev@httpd.apache.org/msg58077.html
- http://secunia.com/advisories/55197
- http://svn.apache.org/viewvc?view=revision&revision=1527362
- http://www.debian.org/security/2013/dsa-2778
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00055.html
- http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2013-11/msg00024.html
- http://lists.opensuse.org/opensuse-updates/2013-10/msg00059.html
- http://www.securityfocus.com/bid/62939
See also: All popular products CVE Vulnerabilities of apache
CVE-2012-1181: fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Server does not recognize the…
Published: 2012-03-19T21:55:00 Last Modified: 2017-08-29T01:31:00
Summary
fcgid_spawn_ctl.c in the mod_fcgid module 2.3.6 for the Apache HTTP Server does not recognize the FcgidMaxProcessesPerClass directive for a virtual host, which makes it easier for remote attackers to cause a denial of service (memory consumption) via a series of HTTP requests that triggers a process count higher than the intended limit.
Common Weakness Enumeration (CWE): CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE Description: The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
Scores
- Impact Score: 2.9
- Exploitability Score: 10.0
- CVSS: 5.0
- CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Impact
- Availability: PARTIAL
- Confidentiality: NONE
- Integrity: NONE
Access
- Authentication: NONE
- Complexity: LOW
- Vector: NETWORK
Currently, there is no code for exploiting the CVE-2012-1181 vulnerability.
References
- http://www.openwall.com/lists/oss-security/2012/03/16/2
- https://issues.apache.org/bugzilla/show_bug.cgi?id=49902
- http://www.openwall.com/lists/oss-security/2012/03/15/10
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=615814
- http://www.securityfocus.com/bid/52565
- http://www.debian.org/security/2012/dsa-2436
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74181
See also: All popular products CVE Vulnerabilities of apache
CVE-2010-3872: The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for…
Published: 2010-11-22T12:54:00 Last Modified: 2017-08-17T01:33:00
Summary
The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to “untrusted FastCGI applications” and a “stack buffer overwrite.”
Common Weakness Enumeration (CWE): CWE-189: Numeric Errors
CWE Description: Weaknesses in this category are related to improper calculation or conversion of numbers.
Scores
- Impact Score: 10.0
- Exploitability Score: 3.9
- CVSS: 7.2
- CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Impact
- Availability: COMPLETE
- Confidentiality: COMPLETE
- Integrity: COMPLETE
Access
- Authentication: NONE
- Complexity: LOW
- Vector: LOCAL
Currently, there is no code for exploiting the CVE-2010-3872 vulnerability.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050930.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050976.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050932.html
- http://www.vupen.com/english/advisories/2010/2998
- http://secunia.com/advisories/42288
- http://secunia.com/advisories/42302
- http://www.vupen.com/english/advisories/2010/2997
- http://osvdb.org/69275
- http://www.gossamer-threads.com/lists/apache/announce/391406
- https://issues.apache.org/bugzilla/show_bug.cgi?id=49406
- http://secunia.com/advisories/42815
- http://www.vupen.com/english/advisories/2011/0031
- http://www.securityfocus.com/bid/44900
- http://www.debian.org/security/2010/dsa-2140
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00005.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/63303
See also: All popular products CVE Vulnerabilities of apache